Monday, March 6, 2023
Authentication Bypass Vulnerability in Mura CMS and Masa CMS (CVE-2022-47003 and CVE-2022-47002)
Saturday, January 28, 2023
Preliminary Security Advisory - Authentication Bypass Vulnerability in Mura CMS and Masa CMS (CVE-2022-47003 and CVE-2022-47002)
Update March 6, 2023 - the full security advisory has been posted here: https://hoyahaxa.blogspot.com/2023/03/authentication-bypass-mura-masa.html
This is a preliminary security advisory, and is being shared so that impacted organizations can update and patch as needed. Additional technical details will be released on March 6, 2023.
Background:
Mura CMS is a popular content management system written in ColdFusion/CFML. While it was originally a commercial open source product, it was re-licensed as a closed source application with the release of Mura CMS v10 in 2020. There are forked open source projects based on the last open source release of Mura CMS, including Masa CMS - which is actively maintained.
Multiple versions of Mura CMS and Masa CMS contain an authentication bypass vulnerability that can allow an unauthenticated attacker to log in as any Site Member or System User.
Wednesday, November 9, 2022
On ColdFusion, XXE, and other XML Attacks
An Introduction
This is the first of what may become a few blog posts based on my CFSummit 2022 talk. Plus with the release of Adobe Security Bulletin APSB22-44 in October -- which fixed some security bugs that I reported and improved the available ColdFusion XML security options -- I figured this was also a good opportunity to pull together some ColdFusion XML security best practices into one place.
XML data can live in lots of places, beyond the obvious instances of .xml files and XML-like file formats: RSS feeds, REST API requests and responses, SAML and SOAP messages, and Office Open XML files such as DOCX, XLSX, PPTX, etc. And several file formats (such as PDF and PNG) include metadata fields that can contain XML.
If your application consumes and processes XML, then XML eXternal Entities (XXE) is a vulnerability class that you need to be aware of and protect against.
Thursday, October 6, 2022
Slides from ColdFusion Summit 2022 - "Below the Surface: Web Vulnerabilities Hiding in your Applications"
Photo credit: @coldfumonkeh
I attended my first CFSummit, where I talked about a handful of web vulnerability classes (SSRF, Session Puzzles, Cryptography flaws, and XML attacks) that might be overlooked by some ColdFusion/CFML developers. It was a great conference, and I'm looking forward to returning for future events! My slides are shared below, and I may turn some of the content into forthcoming blog posts.
Friday, May 27, 2022
Bygone Vulnerabilities - Remote Code Execution in IBM Lotus SameTime Clients (CVE-2013-0553)
Introduction
It's time to dive into another old vulnerability. Let's go back to 2013. Argo lit up the silver screen. The dulcet sounds of Daft Punk filled the air. And the kids would tick-tock away the hours online in six-second blocks watching funny Vines.
Old vulnerabilities are interesting history lessons. They capture information about techniques that worked in the past and could still be applicable to modern software today. They also give modern software developers guidance about potential risks and pitfalls to avoid when building applications.
Monday, June 21, 2021
Two One-liners for Quick ColdFusion Static Analysis Security Testing
I want to find all of the security bugs. I'm sure you do too.
Some security bug classes are easy to find at scale through automated dynamic security scanning. Maybe you're also doing some manual application penetration testing. And maybe you can invest the time to perform in-depth manual code review of important portions of an application, such as core libraries and high-value actions. But a high-impact vulnerability -- such as remote code execution -- in an insignificant, overlooked portion of your codebase can ruin your day. Automated code review needs to play a part in any software security effort.
Thursday, June 10, 2021
Stupid Unix Tricks - Using $IFS in Web Application Command Injection Vulnerabilities for Full RCE
A while ago I was testing a web application and found a command injection vulnerability. The payload could be sent via an email address field, so something like:
{7*7}@foo.com
returned:
User 49@foo.com not found
Thursday, May 27, 2021
Bygone Vulnerabilities - Remote Code Execution in Oracle Reports 10g/11g
Looking back at old vulnerabilities can be both fun and useful. Part history, part nostalgia, and still a healthy dose of understanding the technical inner workings of some software or system. I'm sure that George Santayana would agree. I had planned to go into detail about a bygone vulnerability I found a long time ago in Oracle Reports, but for now this is just a teaser.